
Splunk (HEC)

Prerequisites

Splunk Authentication Token and network access to the Splunk indexer.

Creating a Splunk Token

Go to the Settings menu --> Tokens.

observIQ docs - Splunk (HEC) - image 1

Example: Creating a Token within Splunk

observIQ docs - Splunk (HEC) - image 2

Network Requirements

Network access to the Splunk indexer is required; TCP port 8088 is the default HEC port.

Supported Platforms

Platform | Logs | Metrics | Traces
Linux
Windows
macOS

Configuration Table

Parameter | Type | Default | Description
token | string | | Authentication token used when connecting to the HTTP Event Collector.
index | string | | Optional name of the Splunk index targeted.
hostname | string | localhost | Hostname or IP address of the HTTP Event Collector.
port | int | 8088 | TCP port to which the exporter is going to send data.
path | string | /services/collector/event | The HTTP API path to which the exporter is going to send data.
max_request_size | int | 2097152 | The maximum size (in bytes) of a request sent to the destination. A value of 0 will send unbounded requests. The maximum allowed value is 838860800 (~800MB).
max_event_size | int | 2097152 | The maximum size (in bytes) of an individual event. Events larger than this will be dropped. The maximum allowed value is 838860800 (~800MB).
enable_compression | bool | true | Compress telemetry data using gzip before sending.
enable_tls | bool | false | Whether or not to use TLS.
insecure_skip_verify | bool | false | Enable to skip TLS certificate verification.
ca_file | string | | Certificate authority that is used to validate TLS certificates.
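To make the table concrete, the following is an added Python example (not Bindplane's or observIQ's own exporter code) that shows what each parameter does on the wire: the URL built from hostname, port, path and enable_tls; the "Splunk <token>" authorization header; gzip compression under enable_compression; the max_event_size drop and max_request_size batching rules; and the TLS context that ca_file and insecure_skip_verify control. The configuration values, the token placeholder and the sample events are all constructed for the example; only build_batches and friends are pure and run offline, while send() needs a reachable HEC endpoint.

```python
import gzip
import json
import ssl
import urllib.request

# Constructed configuration mirroring the parameter table above.
# The token is a placeholder, not a real Splunk HEC token.
EXAMPLE_CONFIG = {
    "token": "<SPLUNK-HEC-TOKEN-PLACEHOLDER>",
    "index": "main",
    "hostname": "localhost",
    "port": 8088,
    "path": "/services/collector/event",
    "max_request_size": 2097152,   # bytes; 0 means unbounded requests
    "max_event_size": 2097152,     # bytes; larger events are dropped
    "enable_compression": True,
    "enable_tls": True,
    "insecure_skip_verify": False,
    "ca_file": None,               # e.g. a PEM bundle for a private CA (assumed path, not from the page)
}


def endpoint_url(cfg):
    """Assemble the HEC URL; enable_tls selects https instead of http."""
    scheme = "https" if cfg["enable_tls"] else "http"
    return f"{scheme}://{cfg['hostname']}:{cfg['port']}{cfg['path']}"


def encode_event(record, cfg):
    """Wrap one record in the HEC JSON envelope, routing to the configured index if set."""
    envelope = {"event": record}
    if cfg.get("index"):
        envelope["index"] = cfg["index"]
    return json.dumps(envelope, separators=(",", ":")).encode("utf-8")


def build_batches(records, cfg):
    """Pack encoded events into request bodies no larger than max_request_size.

    Events larger than max_event_size are dropped (counted, not sent), as the table
    describes. HEC accepts several JSON event objects concatenated in one body.
    Returns (list_of_bodies, dropped_count).
    """
    max_req, max_evt = cfg["max_request_size"], cfg["max_event_size"]
    batches, dropped, current = [], 0, bytearray()
    for record in records:
        payload = encode_event(record, cfg)
        if max_evt > 0 and len(payload) > max_evt:
            dropped += 1
            continue
        if max_req > 0 and current and len(current) + len(payload) > max_req:
            batches.append(bytes(current))
            current = bytearray()
        current += payload
    if current:
        batches.append(bytes(current))
    return batches, dropped


def tls_context(cfg):
    """Build the TLS context the TLS parameters describe; None means plain HTTP.

    ca_file sets the trust anchor used to validate the indexer's certificate.
    insecure_skip_verify turns off both chain validation and hostname checking.
    """
    if not cfg["enable_tls"]:
        return None
    ctx = ssl.create_default_context(cafile=cfg["ca_file"])
    if cfg["insecure_skip_verify"]:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(body, cfg):
    """Create the POST with HEC's 'Splunk <token>' auth header, gzip-compressed when enabled."""
    headers = {"Authorization": f"Splunk {cfg['token']}", "Content-Type": "application/json"}
    if cfg["enable_compression"]:
        body = gzip.compress(body)
        headers["Content-Encoding"] = "gzip"
    return urllib.request.Request(endpoint_url(cfg), data=body, headers=headers, method="POST")


def send(records, cfg, timeout=10):
    """Send every batch to HEC; returns (HTTP status codes, dropped count)."""
    batches, dropped = build_batches(records, cfg)
    statuses = []
    for body in batches:
        req = build_request(body, cfg)
        with urllib.request.urlopen(req, timeout=timeout, context=tls_context(cfg)) as resp:
            statuses.append(resp.status)
    return statuses, dropped


if __name__ == "__main__":
    # Constructed sample events; the second exceeds a deliberately small max_event_size.
    sample = [{"message": "login ok", "user": "alice"},
              {"message": "x" * 300},
              {"message": "logout", "user": "alice"}]
    cfg = {**EXAMPLE_CONFIG, "max_event_size": 128}
    batches, dropped = build_batches(sample, cfg)
    print(f"{endpoint_url(cfg)}: {len(batches)} request(s), {dropped} event(s) dropped")
    req = build_request(batches[0], cfg)
    print(req.get_header("Content-encoding"), len(req.data), "bytes on the wire")
```

The batching rule matters operationally: max_event_size is a per-event filter that silently drops data, so a low value shows up as missing events in Splunk rather than as an exporter error, while max_request_size only controls how many events share one POST. With enable_tls true and insecure_skip_verify left at its default of false, the context above validates the indexer's certificate against ca_file (or the system trust store when ca_file is empty).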

Configuration

Example: Splunk Destination configuration

observIQ docs - Splunk (HEC) - image 3

Supported Retry and Queuing Settings

This destination supports the following retry and queuing settings:

Sending Queue
Persistent Queue
Retry on Failure